Purpose of Use (POU) Vocabulary HL7 Security WG Presentation Kathleen Connor VA (ESC) January 2012.


1 Purpose of Use (POU) Vocabulary HL7 Security WG Presentation Kathleen Connor VA (ESC) January 2012

2 Problem with POU Code Systems
Current POU Code Systems are not comprehensive, or consistent
– HL7 Vocabulary ActHealthInformationPrivacyReason Codes: Contains most of the other concepts and fair definitions
– HL7 DAM POU: Contains same concepts as XSPA and many from ISO, but not well defined
– XSPA SAML and XACML Profile POU: No definitions
– ISO POU codes were not developed for purpose of categorizing security policies
– NHIN Authorization Framework Specification v 2.0: POU codes are very granular and some are about policy not POU
As a result, these POU codes are not interoperable
Yet POU is a critical concept in many privacy and security standards

3 Difference in POU Code Systems
ISO: POU code system provides “a framework for classifying the various specific purposes that can be defined and used by individual policy domains”.
ASTM (2005): POU establishes the context and conditions of data use at a specific point in time, and within a specific setting.
RBAC Constraint:
– Purpose of use in relation to permission constraints provides context to requests for information resources.
– Purpose of use allows the service to consult its policies to determine if the user’s claims meet or exceed those needed for access control.
NwHIN: Coded value representing the user's purpose in issuing the request

4 POU Harmonization Approach
Map all POU code systems
Support mapping from all POU code systems to the HL7 POU code system
Determine criteria for selection
– e.g., NwHIN “Abuse” is covered by HL7 ActPrivacyPolicy, so not needed as a POU code
Determine Gaps
Create consistent definitions
Nest related detailed POUs under parents that are more universally applicable
– Supports localized value sets without extension

5 POU Harmonization Proposal: Treatment / Payment
Parent / Children: Definition
Head Code: Purpose of Use
Definition: Reason for performing one or more operations on information, which may be permitted by source system’s security policy in accordance with one or more privacy policies and consent directives.
Description: The rationale or purpose for an act relating to the management of personal health information, such as collecting personal health information for research or public health purposes.
Usage Note: The policy set to be used in situations where multiple (potentially conflicting) contextually sensitive policies exist for identical users and identical information objects.
Treatment: To perform one or more operations on information for provision of health care.
– Care Management Treatment: To perform one or more operations on information for provision of health care coordination.
– Clinical Trial Treatment: To perform one or more operations on information for provision of health care within a clinical trial.
– Emergency Treatment: To perform one or more operations on information for provision of immediately needed health care for an emergent condition.
– Population Health Treatment: To perform one or more operations on information for provision of health care to a population of living subjects.
Payment: To perform one or more operations on information for conducting financial, or contractual activities related to payment for provision of health care.
– Eligibility Determination: To perform one or more operations on information used for conducting eligibility determination for coverage in a program or policy. May entail review of financial status or disability assessment.
– Claims Attachment: To perform one or more operations on information for provision of additional clinical evidence in support of a request for coverage or payment for health services.
– Coverage Authorization: To perform one or more operations on information for conducting prior authorization or predetermination of coverage for services.
– Remittance Advice: To perform one or more operations on information about the amount remitted for a health care claim.

6 Healthcare Business Operations
Parent / Children: Definition
Healthcare Business Operations: To perform one or more operations on information used for conducting administrative and contractual activities related to the provision of health care.
– Accreditation: To perform one or more operations on information for conducting activities related to meeting accreditation criteria.
– Compliance: To perform one or more operations on information used for conducting activities required to meet a mandate.
– Deceased: To perform one or more operations on information used for handling deceased patient matters.
– Directory: To perform one or more operations on information used for facility patient directories.
– Donation: To perform one or more operations on information used for cadaveric organ, eye or tissue donation.
– Fraud: To perform one or more operations on information used for fraud detection and prevention processes.
– Government: To perform one or more operations on information used within government processes.
– Member Administration: To perform one or more operations on information to administer health care coverage to an enrollee under a policy or program.
– Legal: To perform one or more operations on information for conducting activities required by legal proceeding.
– Outcome Measure: To perform one or more operations on information used for assessing results and comparative effectiveness achieved by health care practices and interventions.
– Patient Administration: To perform one or more operations on information used for operational activities conducted to administer the delivery of health care to a patient.
– Performance Measure: To perform one or more operations on information used for monitoring performance of recommended health care practices and interventions.
– Program Reporting: To perform one or more operations on information used for conducting activities to meet program accounting requirements.
– Quality Improvement: To perform one or more operations on information used for conducting administrative activities to improve health care quality.
– Records Management: To perform one or more operations on information used within the health records management process.
– System Administrator: To perform one or more operations on information to administer the electronic systems used for the delivery of health care.
– Training: To perform one or more operations on information used in training and education.

7 Marketing, Public Health, Research, Patient Request
Parent / Children: Definition
Marketing: To perform one or more operations on information for marketing services and products related to health care.
Public Health: To perform one or more operations on information for conducting population health activities, such as the reporting of notifiable conditions.
– Disaster: To perform one or more operations on information used for provision of immediately needed health care to a population of living subjects located in a disaster zone.
– Patient Safety: To perform one or more operations on information in processes related to ensuring the safety of health care.
– Threat: To perform one or more operations on information used to prevent injury or disease to living subjects who may be the target of violence.
Research: To perform one or more operations on information for conducting scientific investigations to obtain health care knowledge.
– Clinical Trial Research: To perform one or more operations on information for conducting scientific investigations in accordance with clinical trial protocols to obtain health care knowledge.
Patient Request: To perform one or more operations on information in response to a patient's request.
– Family: To perform one or more operations on information in response to a request by a family member authorized by the patient.
– Power of Attorney: To perform one or more operations on information in response to a request by a person appointed as the patient's legal representative.
– Support network: To perform one or more operations on information in response to a request by a person authorized by the patient.

8 Override
Parent / Children: Definition
Override: To perform one or more operations on information to which the patient has not consented as deemed necessary by authorized entities for providing care in the best interest of the patient; providing immediately needed health care for an emergent condition; or for protecting public or third party safety.
– Emergency Treatment Override: To perform one or more operations on information to which the patient has not consented by authorized entities for treating a condition which poses an immediate threat to the patient's health and which requires immediate medical intervention.
– Professional Judgment Override: To perform one or more operations on information for providing health care to which the patient has not consented. Discussion: The patient, while able to give consent, has not. However the provider believes it is in the patient's interest to access the record without patient consent. Example: Psychiatric patient.
– Public Safety Override: To perform one or more operations on information for providing health care to which the patient has not consented. Discussion: The patient, while able to give consent, has not. However, the provider believes that access to masked patient information is justified because of concerns related to public safety.
– Third Party Safety Override: To perform one or more operations on information for providing health care to which the patient has not consented. Discussion: The patient, while able to give consent, has not. However, the provider believes that access to masked patient information is justified because of concerns related to the health and safety of one or more third parties.

9 BACKGROUND: POU CODE SYSTEMS

10 Current Enumerations of POU Codes – Not Defined, Comprehensive, or Consistent
DAM POU
XSPA SAML Profile POU
TREATMENT, PAYMENT, OPERATIONS, EMERGENCY, MARKETING, RESEARCH, REQUEST, PUBLICHEALTH
XSPA XACML Profile POU

11 HL7 POU Code System
Name (Code): Definition
ActHealthInformationPrivacyReason (Note - Needs a Value Set): The rationale or purpose for an act relating to the management of personal health information, such as collecting personal health information for research or public health purposes.
Treatment – Specializable Concept (TREAT): Provision of healthcare to a subject of care
– Emergency Treatment (ETREAT): Provision of emergency healthcare
– Population Health (POPHLTH): Provision of healthcare for populations
– Care Management (CAREMGT): Coordination of care provision typically overseen by a healthcare payer
– Clinical Trial (CLINTRL): Healthcare provided or withheld in the course of conducting research
Healthcare Payment – Specializable Concept (HPAYMT): Administrative, financial, and contractual processes related to payment for the provision of healthcare
Healthcare Operations – Specializable Concept (HOPERAT): Administrative and contractual processes required to support the provision of healthcare
– Quality Improvement (HQUALIMP): Operational activities conducted for the purposes of improving healthcare quality
– Outcome Measure (HOUTCOMS): Operational activities conducted for the purposes of assessing the results of healthcare
– Compliance (HCOMPL): Operational activities required to meet a mandate
– Legal (HLEGAL): Operational activities required by legal proceedings
– Program Reporting (HPRGRP): Operational activities conducted to meet program accounting requirements
– Accreditation (HACCRED): Operational activities conducted for the purposes of meeting criteria defined by an accrediting entity
– Patient Administration (PATADMIN): Operational activities conducted to administer the delivery of healthcare to a patient
– Member Administration (MEMADMIN): Operational activities conducted to administer healthcare coverage to an enrollee under a policy or program
– System Administration (HSYSADMIN): Operational activities conducted to administer the electronic systems used for the delivery of healthcare
– Patient Safety (PATSFTY): Operational activities conducted for the purposes of increasing the safety of healthcare
PopulationHealth - Specializable Concept (POPHLTH): Activities conducted for the purposes of population health, such as the reporting of notifiable conditions
Healthcare Research – Specializable Concept (HRESCH): Activities conducted for the purposes of obtaining healthcare knowledge
Healthcare Marketing – Specializable Concept (HMARKT): Activities conducted for the purposes of marketing services and products that are typically related to healthcare

12 ISO/TS Purpose for POU
ISO/TS 14265:2011 Health Informatics - Classification of purposes for processing personal health information defines a set of high-level categories of purposes for which personal health information can be processed.
This is in order to provide a framework for classifying the various specific purposes that can be defined and used by individual policy domains (e.g. healthcare organizations, regional health authorities, jurisdictions, countries) as an aid to the consistent management of information in the delivery of health care services and for the communication of electronic health records across organizational and jurisdictional boundaries.
The scope of application of ISO/TS 14265:2011 is limited to Personal Health Information as defined in ISO 27799, information about an identifiable person that relates to the physical or mental health of the individual, or to provision of health services to the individual.

13 ISO/TS POU

14 NHIN Authorization Framework Specification v Purpose of Use Attribute
This element shall have the Name attribute set to “urn:oasis:names:tc:xspa:1.0:subject:purposeofuse”. The value of the element is a child element, “PurposeOfUse”, in the namespace “urn:hl7-org:v3”, whose content is defined by the “CE” (coded element) data type from the HL7 version 3 specification. The PurposeOfUse element shall contain the coded representation of the Purpose for Use that is in effect for the request.
An example of the syntax of this element is as follows:
Codes are assigned as below. The codeSystem is defined to be “ ”. The codeSystemName is defined to be “nhin-purpose”.
The value of the Purpose of Use attribute shall be a urn:hl7-org:v3:CE element, specifying the coded value representing the user's purpose in issuing the request, choosing from the value set listed in this specification. The codeSystem attribute of this element must be present, and must specify the OID of the "Purpose of Use" code system created by the NHIN Cooperative,
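
A receiving service can enforce the attribute rules on this slide before the purpose of use reaches any policy decision. The Python below is an added example, not code from the presentation or the NHIN specification: it assumes the attribute arrives in a SAML 2.0 AttributeStatement whose signature was already verified, uses a placeholder for the code system OID (blank on the slide), borrows the enumeration listed on slide 10 as a stand-in value set, and treats codeSystemName as optional but fixed when present.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"  # assumption: SAML 2.0 carrier
HL7 = "urn:hl7-org:v3"
POU_NAME = "urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"
OID = "OID-NOT-ON-SLIDE"  # placeholder: the slide leaves the code system OID blank
# Stand-in value set: the enumeration listed on slide 10, not the NHIN code list.
ALLOWED = {"TREATMENT", "PAYMENT", "OPERATIONS", "EMERGENCY",
           "MARKETING", "RESEARCH", "REQUEST", "PUBLICHEALTH"}

def purpose_of_use(statement_xml, allowed=ALLOWED, oid=OID):
    """Return the asserted POU code, or raise ValueError on a rule violation."""
    root = ET.fromstring(statement_xml)
    attrs = [a for a in root.iter(f"{{{SAML}}}Attribute")
             if a.get("Name") == POU_NAME]
    if len(attrs) != 1:  # absent or repeated: the purpose would be ambiguous
        raise ValueError("expected exactly one purposeofuse attribute")
    # Namespace-qualified lookup: a PurposeOfUse outside urn:hl7-org:v3 is ignored.
    found = attrs[0].findall(f"{{{SAML}}}AttributeValue/{{{HL7}}}PurposeOfUse")
    if len(found) != 1:
        raise ValueError("expected exactly one hl7 PurposeOfUse value")
    ce = found[0]
    if ce.get("codeSystem") != oid:  # must be present and name the POU code system
        raise ValueError("codeSystem missing or not the POU code system")
    if ce.get("codeSystemName", "nhin-purpose") != "nhin-purpose":
        raise ValueError("unexpected codeSystemName")
    if ce.get("code") not in allowed:
        raise ValueError("code not in the permitted value set")
    return ce.get("code")

def sample(code="TREATMENT", ns=HL7, system=f' codeSystem="{OID}"'):
    """Constructed AttributeStatement used only for this demonstration."""
    return (f'<saml:AttributeStatement xmlns:saml="{SAML}">'
            f'<saml:Attribute Name="{POU_NAME}"><saml:AttributeValue>'
            f'<PurposeOfUse xmlns="{ns}" code="{code}"{system}'
            f' codeSystemName="nhin-purpose"/>'
            f'</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>')

def rejected(xml):
    """Return the rejection reason for xml, or None if it is accepted."""
    try:
        purpose_of_use(xml)
    except ValueError as err:
        return str(err)
    return None

if __name__ == "__main__":
    print("accepted:", purpose_of_use(sample()))
    for bad in (sample(ns="urn:example:other"), sample(system=""), sample(code="UNLISTED")):
        print("rejected:", rejected(bad))
```
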
